A vulnerability in software that runs on some 12 million home routers underscores the challenge of managing the security of embedded systems and so-called “customer premises equipment.”

On Friday, the firm Allegro Software of Boxborough, Massachusetts, released an odd-sounding statement encouraging all its customers to “maintain firmware for highest level of embedded device security.”

Specifically, Allegro wanted to warn customers about the need to apply a software update to address two recently discovered vulnerabilities affecting its Rom Pager embedded web server: CVE-2014-9222 and CVE-2014-9223, collectively known as the “Misfortune Cookie” vulnerabilities. The patch in question was released almost ten years ago – in 2005.

As reported widely last week, the vulnerabilities affecting the Rom Pager software can be found in some 12 million broadband routers by manufacturers including Linksys, D-Link, Huawei, TP-Link, ZTE and Edimax. In short: some of the most common sellers of broadband routers in the world.

The security firm CheckPoint discovered the vulnerabilities and issued a report about them. According to CheckPoint, the Misfortune Cookie vulnerability has to do with a flaw in the HTTP cookie management mechanism in the Rom Pager software. The flaw allows an attacker to send specially crafted HTTP cookies that exploit the vulnerability.

A successful attack that exploited the “Misfortune Cookie” vulnerabilities could corrupt memory and alter the application and system state. A knowledgeable attacker could use the flaw to force the vulnerable router to treat the current HTTP session with administrative privileges. That would give them the ability to manipulate the home router: changing DNS settings to redirect users to malicious servers under the attacker's control, for example, or employing the home router itself in a botnet used for denial of service attacks or spam campaigns.

Nasty stuff – to be sure. But that brings us back to the Allegro statement from Friday. Because, as the company said, “Misfortune Cookie” wasn’t news to Allegro – it had identified and patched the holes in a software update back in 2005.

As often is the case in the embedded systems space, however, that software update wasn’t circulated to devices that bundle Rom Pager in the field. Allegro, which is now shipping Rom Pager version 5.40, said it doesn’t have the ability to update devices running its software.

“Unfortunately, not all manufacturers using Allegro Software products have updated their devices with the latest Rom Pager software component,” the company wrote.

Consider that for a moment: imagine buying a new laptop computer from Dell or HP, only to find that it shipped with Office 97 installed, along with the (many) security holes that go along with that software. Users would be outraged.

In the embedded systems space, however, this kind of practice is common. As Allegro notes in its message to customers: “In some cases, manufacturers continue to make and sell products with software components that are over 13 years old, which can expose products to security concerns.”

CheckPoint’s research note explains that applications like Rom Pager are often bundled with chipsets that are used to construct devices like home routers. “The way application updates are integrated in router firmware, many devices ship with the vulnerable version in place,” Check Point noted.

To patch Misfortune Cookie, router manufacturers will first need to get a patched version of Rom Pager, then integrate it into the current firmware for each vulnerable router model. Then they’ll need to install that firmware on the vulnerable routers. Considering that ISPs are loath to modify CPE (customer premises equipment) for fear of disabling features, and that most customers wouldn’t know their home router from a clock radio, you can see why – ten years after the fact – millions of home routers remain vulnerable while Allegro’s patch gathers dust.
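For an administrator who wants to know which devices on their own network still bundle an old Rom Pager, the following is an added example (not code from Allegro, Check Point or this article) that classifies HTTP `Server` headers already collected in an asset inventory. It assumes the server announces itself as `RomPager/<major>.<minor>`, and it uses the 5.40 release mentioned above only as a "current shipping" baseline, since the article does not state the exact version that fixed the flaw; the sample records are constructed.

```python
import re

# Assumption: embedded Rom Pager servers announce themselves in the HTTP
# Server header as "RomPager/<major>.<minor>"; a vendor may strip or alter it.
BANNER_RE = re.compile(r"RomPager/(\d+)\.(\d{1,2})", re.IGNORECASE)

# Baseline taken from the article: the version Allegro says it now ships.
# It is NOT the exact fix boundary, which the article does not state.
CURRENT_SHIPPING = (5, 40)


def parse_version(server_header):
    """Return (major, minor) from a Server header, or None if no banner."""
    match = BANNER_RE.search(server_header or "")
    if not match:
        return None
    # Assumption: the minor part is a decimal fraction, so "4.3" means 4.30.
    return int(match.group(1)), int(match.group(2).ljust(2, "0"))


def classify(server_header):
    """Label one device: 'outdated', 'current', or 'unknown'."""
    version = parse_version(server_header)
    if version is None:
        # A missing banner is not evidence that the device was patched.
        return "unknown"
    return "outdated" if version < CURRENT_SHIPPING else "current"


def inventory(records):
    """Map each (device, Server header) pair to its classification."""
    return {device: classify(header) for device, header in records}


# Constructed sample inventory (documentation addresses, invented banners).
SAMPLE = [
    ("192.0.2.10", "RomPager/4.07 UPnP/1.0"),
    ("192.0.2.11", "RomPager/5.40"),
    ("192.0.2.12", "nginx"),
    ("192.0.2.13", ""),
]

if __name__ == "__main__":
    for device, status in inventory(SAMPLE).items():
        print(device, status)
```

Devices reported as `unknown` still need a firmware check with the manufacturer, because the banner can be removed without the component being updated.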

Security vulnerabilities affecting small office and home office (SoHo) equipment are a pressing issue, as cyber criminal groups are increasingly going after the loosely managed, Internet-connected devices. In October, the firm Rapid7 warned of implementation and configuration vulnerabilities in NAT-PMP features in more than 1 million SoHo routers that make them potentially vulnerable to remote attacks that could expose private internal network traffic to prying eyes.

Author: Paul

I'm an experienced writer, reporter and industry analyst with a decade of experience covering IT security, cyber security and hacking, and a fascination with the fast-emerging "Internet of Things."